“Shield” (verb) – to protect from danger, risk or unpleasant experience. Based on this definition, can we assume Privacy Shield is good and that we don’t need to worry about sending data over to the USA? It is a natural assumption to make, but if you do business with American companies (customers or suppliers) you should read on.
What is Privacy Shield?
Hopefully, you will be aware that sending personal data outside of the EEA for business purposes (broadly speaking) requires either the proverbial ‘OK’ from the EU (an adequacy decision) or the use of appropriate safeguards such as the EU’s standard contractual clauses. Privacy Shield effectively falls into the first of those two categories: it is a ‘self-certification programme’ for American companies that was recognised by the EU under an adequacy decision, and it requires the companies involved to register with the U.S. Department of Commerce.
What’s the problem with that then?
If you take a look at the Privacy Shield website, everything appears to be in order, and if you type ‘Privacy Shield’ into your favourite search engine you’re unlikely to see much other than an explanation of what it is, who to complain to about it and other functional links. Nowhere does it explain the potential risks or highlight what is happening behind the scenes at the European Commission.
Back in June this year, the European Parliament adopted a resolution that Privacy Shield should be suspended because of its failings in relation to GDPR. That resolution called for the U.S.A. to update and overhaul the programme by 1 September 2019 – a deadline that has clearly now passed.
Unsurprisingly, the current US administration has not been keen on appeasing the EU, especially since GDPR introduces particularly stringent requirements relative to most U.S. data protection laws.
In the absence of appropriate GDPR updates to Privacy Shield, this potentially leaves a big black hole for businesses on this side of the Atlantic to fall into.
What does this mean to the average SME?
The modest improvements to Privacy Shield (now planned for the end of October) may, for the time being, keep the European Parliament happy (to an extent). However, although Privacy Shield may help with your legal compliance under GDPR, commercially the door is wide open for EU citizens to launch a legal challenge against you through the courts for the actions of your American partners and providers. And don’t think you can simply pass this risk on to your American contracting partner: they will simply hide behind their limited Privacy Shield obligations.
Rather than relying on Privacy Shield, which we know the European Parliament does not consider “fit for purpose” (and which is unlikely to be fit for purpose even after the imminent amendments), it may be more appropriate to enter into a comprehensive data processing agreement with your US partner. By taking this action (together with other sensible due diligence activities) you will have demonstrated that you understood your GDPR obligations fully and took appropriate action.
So, what should your business do now?
To a certain extent, we’re all playing a waiting game on this one (there’s always the chance that the end of October might bring bad news!). But action can and should be taken now. Re-evaluating agreements with American companies, carrying out the necessary due diligence and tightening your supply chain are all activities that will minimise risk (and hopefully bring with them all of the advantages of having a smooth system in place!).